Each year, the IOUG surveys a wide range of database security and IT professionals responsible for security, and examines the current state of enterprise data security. They summarize the 2014 findings of 353 data managers and professionals in order to help educate organizations about data security.

The likelihood of a data breach has grown over the years since they first began asking this question, and is similar to other surveys of this ilk. According to the Ponemon 2014 Cost of a Data Breach Study, we see as much as 30% probability.

According to another Ponemon study "Data Breach: The Cloud Multiplier Effect," those surveyed estimate that every one percent increase in the use of cloud services will result in a 3 percent higher probability of a data breach.

When looking at history, survey respondents of the IOUG report say that they often have no idea whether a breach has occurred--or worse--is occurring:

"We cannot be certain there has been no silent breach. There is no evidence we have detected a breach or corruption. But picturing yourself as highly unlikely to be breached we feel is like wearing a ‘kick-me’ sign on your backside."

Friday Sep 12, 2014

KuppingerCole analyst Rob Newby recently (August 2014) put together an executive review of the award-winning Oracle Audit Vault and Database Firewall that you can pick up here for a fee. The paper (4 pages on AVDF, 7 total) goes into a description of the solution and how it works from both the Audit Vault, and Database Firewall perspectives. It further covers reporting and alerting, as well as integration with other Oracle products, summarizing with strengths and challenges.

Wednesday Sep 10, 2014

SANS Analyst and Instructor and well known security expert, Dave Shackleford, will be doing a review of Oracle Advanced Security on September 16, 12:00 p.m. ET/ 3:00 p.m. ET

Register now for the webcast "Simplifying Data Encryption and Redaction Without Touching the Code"

The need for organizations to protect sensitive information has never been more paramount. The risks of data breaches and sensitive data exposures are driving organizations to look for solutions, as an increasing amount of data is being stored and processed outside the perimeter, in cloud applications and service environments. Organizations must protect this sensitive data at its heart, in the databases. In this webcast, we discuss a recent review by SANS Analyst and Instructor Dave Shackleford of Oracle Advanced Security for Oracle Database 12c and its encryption and redaction capabilities.

Thursday Jul 17, 2014

Oracle database security solutions provide three means of making data at rest unreadable. We sometimes get questions about their differences.

Oracle Advanced Security

Transparent Data Encryption (TDE), a capability of Oracle Advanced Security, is transparent to applications and users by encrypting data within the Oracle Database on disk, without any changes to existing applications. TDE is available as a part of the Oracle Database, so if you have Oracle, you have Oracle Advanced Security and would simply require a license to activate.

When would you use TDE?

TDE stops would-be attackers from bypassing the database and reading sensitive information from storage by enforcing data-at-rest encryption in the database layer. Applications and users authenticated to the database continue to have access to application data transparently (no application code or configuration changes are required), while attacks from OS users attempting to read sensitive data from tablespace files and attacks from thieves attempting to read information from acquired disks or backups are denied access to the clear text data.

Data Redaction, also a capability of Oracle Advanced Security, provides selective, on-the-fly redaction of sensitive data in SQL query results prior to display by applications so that unauthorized users cannot view the sensitive data. It enables consistent redaction of database columns across application modules accessing the same database information. Data Redaction minimizes changes to applications because it does not alter actual data in internal database buffers, caches, or storage, and it preserves the original data type and formatting when transformed data is returned to the application.

When would you use data redaction?

Existing applications often return sensitive data to call center and support staff employees, or even customers that include date of birth, social security numbers, and more. Traditionally, organizations would have to access and change application source code in order to redact sensitive data. This can be error-prone, laborious, and performance-heavy. Data redaction mitigates this risk and helps organizations comply with compliance requirements, such as PCI DSS, by masking displayed data within applications.

Oracle Data Masking and Subsetting

Data Masking enables sensitive information such as credit card or social security numbers to be replaced with realistic values, allowing production data to be safely used for development, testing, or sharing with out-sourcing partners or off-shore teams for other nonproduction purposes..

When would you use data masking?

Data masking is used for nonproduction environments for quality assurance, testing, and development purposes. Many organizations inadvertently breach information when they routinely copy sensitive and regulated production data into nonproduction environments. Data in nonproduction environments, which can be lost or stolen, has increasingly become the target of cyber criminals. Data masking helps organizations reduce this risk and comply with compliance requirements.

Friday Jun 06, 2014

PAYBACK GmbH operates the largest marketing and couponing platforms in the world—with more than 50 million subscribers in Germany, Poland, India, Italy, and Mexico.

The Security Challenge

Payback handles millions of requests for customer loyalty coupons and card-related transactions per day under tight latency constraints—with up to 1,000 attributes or more for each PAYBACK subscriber. Among the many challenges they solved using Oracle, they had to ensure that storage of sensitive data complied with the company’s stringent privacy standards aimed at protecting customer and purchase information from unintended disclosure.

Oracle Advanced Security

By using Oracle Advanced Security, organizations can comply with privacy and regulatory mandates that require encrypting and redacting (display masking) application data, such as credit cards, social security numbers, or personally identifiable information (PII).

Thursday Feb 20, 2014

I wanted to let folks know that Todd Bottger, Oracle's product manager for ASO, has a new blog on Oracle Advanced Security. He'll be taking the conversation a lot more technical, so go subscribe to learn more.

Wednesday Oct 02, 2013

The latest edition of Oracle Magazine, headlined with Plug into the Cloud,
gives many reasons for customers to upgrade to the latest release of Oracle Database 12c .

In the article Time to Upgrade,
Michelle Malcher, President of the Independent Oracle Users Group
(IOUG) and Oracle ACE Director, says "Oracle Database 12c is packed with
several new and enhanced security features. A great new security
feature is privilege analysis, which allows DBAs to get to the bottom of
what permissions are really needed and used. How much time is that
going to save in audit reports and managing the security for least
privilege?"

To prepare for the latest edition of Oracle Database, Malcher had
an opportunity sit down and beta test the latest features with others. During this time, we captured some of her comments,
along with other beta testers, about another new feature: data
redaction (see below video).

She goes on to say "Redaction is another security features that
is easy to implement and probably will save a lot of time previously
spent having to mask data in different environments or code solutions to
hide private data and information. Setting up a comprehensive redaction
policy for users, applications, and environments can further protect
sensitive data.

Wednesday Sep 11, 2013

Organizations worldwide are scrambling to secure sensitive information
in response to regulatory pressure for protecting data privacy and
integrity, as well as protect from increasingly sophisticated attacks
targeting this data. Encrypting data in applications, however, requires
costly and complex code changes, often with disastrous performance
consequences. Fortunately these pitfalls can be avoided. Check out this video on data redaction and register to receive the latest information on this new technology in Oracle Database 12c.

Tuesday Aug 13, 2013

New to Oracle Advanced Security, Data Redaction provides selective, on-the-fly redaction of sensitive data in SQL query results prior to application display so that unauthorized users cannot view the sensitive data. It enables consistent redaction of database columns across application modules accessing the same database information. Data Redaction minimizes changes to applications because it does not alter actual data in internal database buffers, caches, or storage, and it preserves the original data type and formatting when transformed data is returned to the application. Data Redaction has no impact on database operational activities such as backup and restore, upgrade and patch, and high availability clusters.

Unlike historical approaches that relied on application coding and new software components, Data Redaction policies are enforced directly in the database kernel. Declarative policies can apply different data transformations such as partial, random, and full redaction. Redaction can be conditional, based on different factors that are tracked by the database or passed to the database by applications such as user identifiers, application identifiers, or client IP addresses. A redaction format library provides pre-configured column templates to choose from for common types of sensitive information such as credit card numbers and national identification numbers. Once enabled, polices are enforced immediately, even for active sessions

Tuesday Nov 06, 2012

Regulations such as the Payment Card Industry Data Security Standards (PCI DSS), U.S. state security breach notification laws, HIPAA HITECH and more, call for the use of data encryption or redaction to protect sensitive personally identifiable information (PII).

From the outset, Oracle has delivered the industry's most advanced technology to safeguard data where it lives—in the database. Oracle provides a comprehensive portfolio of security solutions to ensure data privacy, protect against insider threats, and enable regulatory compliance for both Oracle and non-Oracle Databases. Organizations worldwide rely on Oracle Database Security solutions to help address industry and government regulatory compliance.

Specifically, Oracle Advanced Security helps organizations like Educational Testing Service, TransUnion Interactive, Orbitz, and the National Marrow Donor Program comply with privacy and regulatory mandates by transparently encrypting sensitive information such as credit cards, social security numbers, and personally identifiable information (PII). By encrypting data at rest and whenever it leaves the database over the network or via backups, Oracle Advanced Security provides organizations the most cost-effective solution for comprehensive data protection.